RAXE-2026-051 CRITICAL CVSS 9.8 v3.1 S2

Anthropic Claude Code CLI and Agent SDK OS Command Injection (CVE-2026-35022)

Agent Security 2026-04-12 M. Hirani TLP:GREEN

1. Executive Summary

A critical OS command injection vulnerability (CVE-2026-35022) in Anthropic Claude Code CLI (versions ≤ 2.1.91) and Claude Agent SDK for Python (versions ≤ 0.1.55) enables arbitrary command execution and credential exfiltration through malicious authentication helper configuration (VulnCheck advisory). Exploitation requires the ability to influence authentication settings, a prerequisite that can be met in CI/CD pipeline environments where Claude Code configuration is repository- or template-controlled (RAXE assessment). The CNA-submitted CVSS 3.1 base score is 9.8; NVD has not yet completed its own analysis (NVD, vulnStatus: Undergoing Analysis).

Organisations using Claude Code CLI in automated development or CI/CD workflows should upgrade immediately to versions above 2.1.91 (CLI) and 0.1.55 (SDK) (VulnCheck advisory).

2. Risk Rating

| Dimension | Rating | Detail |
| --- | --- | --- |
| Severity | Critical | CNA-submitted CVSS 3.1: 9.8 (NVD, Undergoing Analysis); CVSS 4.0: 9.3 (VulnCheck advisory) |
| Urgency | High | Patch available; no public PoC at time of writing |
| Scope | Moderate | Affects Claude Code CLI and Agent SDK deployments; requires ability to influence auth config (NVD) |
| Confidence | High | Confirmed by NVD entry, VulnCheck advisory, and independent researcher disclosure (Phoenix Security) |
| Business Impact | High | Credential theft and cloud infrastructure compromise via exfiltrated AWS/GCP credentials (RAXE assessment) |

CVSS Divergence Note

Two CVSS versions are available from different sources. They use different scoring methodologies and are not directly comparable:

  • NVD (CNA-submitted): CVSS 3.1 Base Score 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, vulnStatus: Undergoing Analysis)
  • VulnCheck advisory: CVSS 4.0 Base Score 9.3, AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (VulnCheck advisory)

Both rate the vulnerability as critical. The CVSS 3.1 score of 9.8 is used for severity language in this report. This score is CNA-submitted and may change upon NVD completion of analysis.

3. Affected Products

| Product | Affected Versions | Fixed Version | Source |
| --- | --- | --- | --- |
| Anthropic Claude Code CLI | ≤ 2.1.91 | ≥ 2.1.92 (registry-confirmed upgrade target) | VulnCheck advisory; npm registry |
| Claude Agent SDK for Python | ≤ 0.1.55 | ≥ 0.1.56 (registry-confirmed upgrade target) | VulnCheck advisory; PyPI registry |

Version source note: Post-affected upgrade targets exist in package registries (@anthropic-ai/claude-code@2.1.92 on npm, claude-agent-sdk==0.1.56 on PyPI), but no official Anthropic advisory explicitly maps these versions to the CVE-2026-35022 fix. Confidence is high on CVE/advisory facts, medium-high on remediation mapping.

Am I Affected?

  1. Check if Claude Code CLI is installed: claude --version (RAXE assessment)
  2. Check if the Claude Agent SDK is installed: pip show claude-agent-sdk (RAXE assessment)
  3. If the version is ≤ 2.1.91 (CLI) or ≤ 0.1.55 (SDK), the installation is affected (VulnCheck advisory)
  4. If authentication helpers are configured (apiKeyHelper, awsAuthRefresh, awsCredentialExport, gcpAuthRefresh), the attack surface is active (NVD)

4. Abstract

CVE-2026-35022 is an OS command injection (CWE-78: "Improper Neutralization of Special Elements used in an OS Command") in the authentication helper execution path of Anthropic Claude Code CLI and Claude Agent SDK (NVD). Four authentication helper configuration parameters (apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh) are executed using shell=true without input validation (NVD). Exploitation requires the ability to influence authentication settings (NVD). Attackers who can modify these configuration values can inject shell metacharacters to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration (NVD).

5. Key Findings

  1. OS command injection via authentication helpers: Four configuration parameters are executed with shell=true without input validation, enabling arbitrary command injection (NVD)
  2. Cloud credential exposure: The vulnerable parameters (apiKeyHelper, awsAuthRefresh, awsCredentialExport, gcpAuthRefresh) are specifically designed to handle AWS and GCP cloud credentials (NVD)
  3. CI/CD pipeline risk: The configuration-level prerequisite for exploitation can be met in CI/CD environments where Claude Code configuration is repository- or template-controlled (RAXE assessment)
  4. No public PoC: No public proof-of-concept exploit code is available at time of writing
  5. Low EPSS: FIRST.org EPSS rates exploitation probability at 0.00318 (54.8th percentile), indicating below-average predicted exploitation (FIRST.org EPSS)

6. Attack Flow

 Attacker modifies Claude Code configuration
 (e.g., via malicious PR to shared repository)
              │
              ▼
 ┌──────────────────────────────────────┐
 │ Inject shell metacharacters into     │
 │ auth helper parameter:               │
 │ • apiKeyHelper                       │
 │ • awsAuthRefresh                     │
 │ • awsCredentialExport                │
 │ • gcpAuthRefresh                     │
 │                         (NVD)        │
 └──────────────────┬───────────────────┘
                    │
                    ▼
 ┌──────────────────────────────────────┐
 │ Claude Code executes auth helper     │
 │ with shell=true, no validation       │
 │                         (NVD)        │
 └──────────────────┬───────────────────┘
                    │
                    ▼
 ┌──────────────────────────────────────┐
 │ Injected commands execute with       │
 │ user/automation privileges           │
 │                         (NVD)        │
 └──────────────────┬───────────────────┘
                    │
                    ▼
 ┌──────────────────────────────────────┐
 │ Impact:                              │
 │ • Credential theft                   │
 │ • Environment variable exfiltration  │
 │ • Arbitrary command execution        │
 │                         (NVD)        │
 └──────────────────────────────────────┘

Provenance: All steps in this attack flow are derived from the NVD description of CVE-2026-35022.

7. Technical Details

Vulnerability Mechanics

The authentication helper execution path in Claude Code CLI and Agent SDK accepts configuration values for four parameters and executes them using shell=true without input validation (NVD). The vulnerable parameters are (NVD):

  • apiKeyHelper: API key retrieval helper
  • awsAuthRefresh: AWS authentication refresh command
  • awsCredentialExport: AWS credential export command
  • gcpAuthRefresh: GCP authentication refresh command

The shell=true execution mode passes the configuration value to the system shell interpreter, allowing shell metacharacters (;, $(), backticks, pipes) to be interpreted as command separators or command substitution operators (RAXE assessment based on CWE-78 pattern).
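The difference between the two execution modes, as an added example (not code from Anthropic, the advisories, or RAXE). It assumes a POSIX host with sh and echo available; the function names and the sample helper values are constructed for illustration and use only harmless echo commands.

```python
import shlex
import subprocess

# Constructed helper values: a benign command followed by shell syntax.
SAMPLES = [
    "echo helper-key; echo INJECTED",
    "echo $(echo INJECTED)",
]


def run_with_shell(value: str) -> str:
    """Pattern described in the advisory: the string goes to /bin/sh -c."""
    done = subprocess.run(value, shell=True, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_as_argv(value: str) -> str:
    """Hardened pattern: tokenise once and exec directly, with no shell."""
    argv = shlex.split(value)
    if not argv:
        raise ValueError("empty helper command")
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def compare(value: str) -> dict:
    """Return the output of both execution modes for one helper value."""
    return {"shell": run_with_shell(value), "argv": run_as_argv(value)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", compare(sample))
```

With the shell, the text after ; or inside $() runs as a second command; as an argument vector, the same characters reach echo as literal text.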

Authentication Prerequisite Analysis

The CVSS 3.1 vector specifies PR:N (no privileges required) (NVD). However, the NVD description states exploitation requires the ability to "influence authentication settings" (NVD). This configuration-level prerequisite is not captured in the CVSS scoring but represents a practical barrier to exploitation.

In CI/CD environments, this prerequisite may be met through (RAXE assessment):

  • Malicious pull requests modifying Claude Code configuration files in shared repositories
  • Compromised project-level .claude configuration directories
  • Supply chain attacks via shared development environment templates

Impact Analysis

Successful exploitation enables (NVD):

  • Arbitrary command execution with the privileges of the user or automation environment
  • Credential theft (API keys, cloud provider credentials)
  • Environment variable exfiltration

The cloud-credential-specific nature of the vulnerable parameters (awsAuthRefresh, awsCredentialExport, gcpAuthRefresh) makes this a potential path to cloud infrastructure compromise (RAXE assessment).

8. Confidence & Validation

Assessment Confidence: High

| Aspect | Status | Detail |
| --- | --- | --- |
| Vendor Advisory | Not identified | No official Anthropic advisory found at time of writing |
| CVE Assigned | Yes | CVE-2026-35022 (NVD, published 2026-04-06) |
| PoC Available | No | No public proof-of-concept at time of writing |
| Patch Available | Implied / registry-confirmed upgrade targets | Versions > 2.1.91 (CLI) and > 0.1.55 (SDK) implied by VulnCheck; @anthropic-ai/claude-code@2.1.92 and claude-agent-sdk==0.1.56 confirmed in registries; no Anthropic advisory explicitly maps these versions to the CVE fix |
| Exploited in Wild | Not confirmed | No KEV listing; no confirmed in-the-wild exploitation |

NVD Analysis Status: The NVD entry for CVE-2026-35022 has vulnStatus "Undergoing Analysis"; NVD has not completed its own analysis (NVD). The CVSS 3.1 score of 9.8 present in the NVD record is CNA-submitted. This score may be adjusted upon NVD completion of analysis.

9. Detection Signatures

Detection Limitations

  • Host-level process monitoring (Sysmon, auditd) is required to observe child process spawning from the Claude Code CLI process (RAXE assessment)
  • Configuration content inspection rules are hunting-grade, not IOC-grade; shell metacharacters may appear in legitimate helper scripts (RAXE assessment)
  • The specific shell context and parameter format are not fully documented in the advisory (NVD)

Sigma Rule 1: Suspicious Child Process Spawn (Post-exploitation hunting, level: high)

title: Claude Code CLI Suspicious Child Process Spawn
id: raxe-2026-051-sigma-001
status: experimental
description: >
  Detects suspicious child processes spawned by the Claude Code CLI process,
  indicating potential OS command injection via CVE-2026-35022 (NVD). CWE-78.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-35022
author: RAXE Labs
date: 2026/04/12
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/claude'
      - '/node'
    ParentCommandLine|contains: 'claude'
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/curl'
      - '/wget'
      - '/python3'
      - '/nc'
  condition: selection_parent and selection_child
level: high
falsepositives:
  - Legitimate authentication helper scripts invoking shell commands

Sigma Rule 2: Credential Exfiltration Attempt (Post-exploitation hunting, level: high)

title: Credential Exfiltration via Claude Code Child Process
id: raxe-2026-051-sigma-003
status: experimental
description: >
  Detects child processes of Claude Code CLI reading or exfiltrating
  environment variables, consistent with CVE-2026-35022 impact (NVD). CWE-78.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-35022
author: RAXE Labs
date: 2026/04/12
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/claude'
      - '/node'
    ParentCommandLine|contains: 'claude'
  selection_exfil:
    CommandLine|contains:
      - 'printenv'
      - '$AWS_SECRET'
      - '$AWS_ACCESS'
      - '$ANTHROPIC_API_KEY'
      - 'env | curl'
      - 'env | nc'
  condition: selection_parent and selection_exfil
level: high
falsepositives:
  - Legitimate auth helpers reading environment variables

Sigma Rule 3: Configuration Audit (Delivery telemetry, level: medium)

title: Claude Code Config with Shell Metacharacters in Auth Helpers
id: raxe-2026-051-sigma-002
status: experimental
description: >
  Detects Claude Code configuration files containing shell metacharacters
  in auth helper parameters. Hunting rule; may match legitimate helpers.
  CVE-2026-35022 (NVD). CWE-78.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-35022
author: RAXE Labs
date: 2026/04/12
logsource:
  category: file_change
  product: linux
detection:
  selection_file:
    TargetFilename|contains: '.claude'
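  selection_content:
    FileContent|contains:
      - 'apiKeyHelper'
      - 'awsAuthRefresh'
      - 'awsCredentialExport'
      - 'gcpAuthRefresh'
  # Shell metacharacters named in this advisory. Without this selection the
  # rule matches any configuration that merely defines an auth helper.
  # The match is file-wide, so a hit still needs manual review.
  selection_metachar:
    FileContent|contains:
      - ';'
      - '$('
      - '`'
      - '|'
  condition: selection_file and selection_content and selection_metachar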
level: medium
falsepositives:
  - Legitimate Claude Code configuration with auth helpers

10. Detection & Mitigation

Immediate Remediation

  1. Patch: Upgrade Claude Code CLI above version 2.1.91 and Claude Agent SDK for Python above version 0.1.55 (VulnCheck advisory)

Short-term Hardening

  1. Audit authentication helpers: Review all values configured for apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh for unexpected content or shell metacharacters (NVD)
  2. Restrict configuration access: Protect Claude Code configuration files from modification by untrusted processes or users, particularly in CI/CD pipelines (RAXE assessment)
  3. Monitor for anomalous child processes: Deploy Sigma rules from Section 9 to detect suspicious process spawning from the Claude Code CLI process (RAXE assessment)
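One way to carry out the helper audit in step 1, as an added example (not RAXE's or Anthropic's tooling). It assumes the configuration is JSON and that the four helper keys may sit at any nesting depth; the function names and the sample configuration are constructed for illustration. Unlike a file-wide content match, it inspects only the helper values themselves.

```python
import json

HELPER_KEYS = {"apiKeyHelper", "awsAuthRefresh", "awsCredentialExport", "gcpAuthRefresh"}
# Metacharacters listed in this advisory.
METACHARS = (";", "$(", "`", "|")

# Constructed sample configuration; the second helper carries a harmless marker.
SAMPLE_CONFIG = """
{
  "apiKeyHelper": "/usr/local/bin/get-key.sh",
  "awsAuthRefresh": "aws sso login --profile dev; echo INJECTED",
  "env": {"FOO": "a|b"}
}
"""


def find_helpers(node, path=""):
    """Yield (json_path, value) for every helper key at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in HELPER_KEYS:
                yield here, value
            else:
                yield from find_helpers(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_helpers(item, f"{path}[{i}]")


def audit_config(text):
    """Return (json_path, verdict, metacharacters_found) per helper value."""
    findings = []
    for where, value in find_helpers(json.loads(text)):
        if not isinstance(value, str):
            findings.append((where, "non-string value", []))
            continue
        hits = [m for m in METACHARS if m in value]
        findings.append((where, "review" if hits else "present", hits))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

A "review" verdict is hunting-grade: legitimate helpers can contain pipes or semicolons, so each hit needs a human decision.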

Medium-term Monitoring

  1. Track NVD analysis: Monitor for NVD completion of analysis, which may adjust the CVSS score (NVD, vulnStatus: Undergoing Analysis)
  2. Watch for vendor advisory: Monitor for an official Anthropic advisory with confirmed fix versions and additional mitigation guidance (RAXE assessment)

11. Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Behavioural | Unexpected child processes (sh, bash, curl, wget, nc) spawned by Claude Code CLI | Post-exploitation: command injection via auth helpers (RAXE assessment based on CWE-78) |
| Behavioural | Environment variable reads (printenv, $AWS_SECRET, $ANTHROPIC_API_KEY) by Claude Code child processes | Post-exploitation: credential exfiltration (NVD) |
| Configuration | Shell metacharacters (;, $(), backticks, \|) in auth helper parameter values | Pre-exploitation: poisoned configuration (RAXE assessment based on CWE-78) |

Note: All behavioural indicators are hunting-grade; they may also appear during legitimate authentication helper operations (RAXE assessment).

12. Strategic Context

CVE-2026-35022 highlights the emerging attack surface of AI-assisted development tooling (RAXE assessment). As AI coding assistants become integrated into CI/CD pipelines and automated workflows, their configuration and authentication mechanisms become targets for supply chain attacks (RAXE assessment). The vulnerability's focus on cloud credential helper parameters (awsAuthRefresh, gcpAuthRefresh) underscores the risk of credential theft through compromised developer tools (RAXE assessment).

This finding is relevant to the broader trend of AI agent security (Stream S2), where the tooling surrounding AI systems, not just the models themselves, presents exploitable attack surfaces (RAXE assessment).

13. References

  1. CVE-2026-35022: NVD entry (vulnStatus: Undergoing Analysis)
  2. VulnCheck Advisory: Anthropic Claude Code Agent SDK OS Command Injection
  3. Phoenix Security: Claude Code CLI: 3 Command Injection Flaws
  4. FIRST.org EPSS: CVE-2026-35022: Score 0.00318, percentile 54.8%
  5. npm registry: @anthropic-ai/claude-code 2.1.92: Registry-confirmed upgrade target
  6. PyPI: claude-agent-sdk 0.1.56: Registry-confirmed upgrade target